2014 ACC-SoCal In-House Counsel Conference #IHCC14
January 29, 2014, Anaheim, California
Sponsored by Crowell & Moring LLP
Panelists: Jeffrey L. Poston, Partner; Jennifer S. Romano, Partner

How To Manage A Data Breach (“Incident”) Crisis
#IHCC14 2014 ACC-SoCal In-House Counsel Conference
Typical Breach Costs $Millions
– Forensics
– Outside Counsel
– Credit Monitoring
– Security and Technology Upgrades
– Fines
– Settlements
– Damages
– Opportunity Costs
What Is At Risk?
– Protected Health Information (“PHI”): health status, treatment or payment
  – Identifiers (name, SSNs) and health information
  – Does not apply to “de-identified data”
  – Personal Information (broader category under state law)
– Personally Identifiable Information (“PII”): generally defined as a combination of first and last name PLUS any one of the following:
  – SSN
  – Driver’s License No.
  – Account No.
  – Credit Card No.
  – Medical Information
– Trade Secrets
– Mayhem/Tort Liability
The Threat: What’s Out There? (cont’d)
Cyber Criminals
– Ties to organized crime
– International in nature (particularly Eastern Europe and the former Soviet Union)
– Selling stolen data: PHI/PII, trade secrets
How Do They Get It? Common Techniques
– Spear Phishing
  – Targeted
  – Appear to be authentic emails, with attachments or links containing malware
– Malware
  – Delivered via email or websites; can give hackers a “back door” into your network
– Distributed Denial of Service (DDoS) Attacks
  – Often accompanied by fraud
Corrupt Employees
– Paid to steal personal information (SSNs, credit card numbers)
– The MOB/Eastern Europeans
– Often low-tech theft: hard copies
– Provide PII to identity theft rings
  – Fake IDs/credit cards made
  – Lines of credit opened at stores
  – Prescriptions
Corrupt Employees (cont’d)
In past six months:
– Employees steal PI from dental practice, insurer and rental car company
– Nurse’s Aide indicted in Va. for stealing PI for tax fraud
– Stolen Porsche traced to home where $2.5 million credit card operation discovered
Target and Neiman Marcus Data Breaches
– Type of Breach
  – Target: outside hacker; likely used RAM scraper (memory scraping malware), along with other tools
  – Neiman Marcus: outside hacker; details not disclosed
– How Many Affected
  – Target: up to 70 million individuals; 40 million credit and debit card accounts
  – Neiman Marcus: numbers unknown, but data reportedly includes credit and debit card numbers, customer names, contact information
Target and Neiman Marcus Data Breaches (cont’d)
– Litigation & Enforcement Actions
  – Target: 40+ class actions, punitive damages requested; State AG (MA, NY, IL, PA, others) investigations; Senate briefing requests
  – Neiman Marcus: likely same as for Target
How To Manage Crisis When PII Compromised
How To Manage Crisis When PII Compromised (cont’d)
1. Do Not Sweep Under the Rug
– Will come back to haunt you
– Public somewhat sensitized to breaches
– Will not tolerate cover-up; cover-up worse than crime
– If data missing, beware the “no harm, no foul” position
– Subsequent discovery: identity theft, whistleblowers, litigation discovery/audit
How To Manage Crisis When PII Compromised (cont’d)
2. Be Prepared
– Breach Response Plan
  – GC’s Office
  – Privacy Office
  – IT
  – Outside Counsel
  – Forensics Firm
  – Media Relations
– Dry Runs
– Training/Policies to Ensure Incident Reported Up the Chain
How To Manage Crisis When PII Compromised (cont’d)
3. Involve In-House/Outside Counsel Immediately
– Can assert privilege to maximum extent possible
– Assert privilege over outside consultants
– Use counsel to conduct employee interviews
– Assess claims/positions vs. vendor
– Assess need for law enforcement
– Strategize for the long run: investigation through class actions
– Don’t want an early false step to jeopardize a defense or position 2 years down the road
How To Manage Crisis When PII Compromised (cont’d)
4. Investigate
– Privilege
– Forensics
– What data? PHI, PI, SSN, credit card info
– Whose data? What states involved? Minors involved?
– What systems?
– How accessible is missing data if in wrong hands?
– Access to vendors: JDA
How To Manage Crisis When PII Compromised (cont’d)
5. Mitigate/Remediate
– Can you track and recover lost data?
– Can you verify that data was not accessed?
– If technical cause, can it be fixed?
– First 24-48 hours critical
– Can’t presume missing data has not been improperly accessed
How To Manage Crisis When PII Compromised (cont’d): Mitigate/Remediate (cont’d)
– Cyber Breach
  – Can you identify type of infiltration and impact?
  – Can you show forensically that data was not accessed?
  – Can you determine if data was exfiltrated?
  – Typically, can at least determine what was accessible
  – In case of lost laptop, can usually determine what data it contained
How To Manage Crisis When PII Compromised (cont’d): Mitigate/Remediate (cont’d)
– Corrupt Employee
  – Can you track extent of employee’s access?
  – If so, is there a definable group to be notified?
  – If not, must you notify entire population?
  – How widespread is the incident? Documents discovered in several states
  – Is law enforcement involved?
  – Can scope of incident be determined through criminal process?
How To Manage Crisis When PII Compromised (cont’d)
6. Notification Issues
– OCR/HIPAA
– HI-TECH
– FTC
– State Breach Notification Laws
  – States plus D.C., Puerto Rico and Virgin Islands
  – 46 different standards, some involving “risk of harm”
  – AGs have enforcement authority
  – Timing: “in the most expedient time possible,” “without unreasonable delay”
  – If required to notify in some states, notify in all states
How To Manage Crisis When PII Compromised (cont’d): Notification Issues (cont’d)
– Who notifies: company or vendor?
– Don’t sugarcoat notification letter
– What do you do if you cannot determine extent of incident? Notify everyone? Notify no one?
How To Manage Crisis When PII Compromised (cont’d)
7. Here Come the Regulators
– AGs and FTC
– Be proactive with regulators
– Establish relationship/bring them in the loop
– You don’t want them to find out about this second hand
– Beware of turf wars within a state
– Make sure they know that situation is fluid and you will update them
How To Manage Crisis When PII Compromised (cont’d)
8. Involve Corporate Communications
– States require certain content in notification letters
– Media statement should be consistent with notification letters and call center talking points
– Inconsistent message will confuse members and embolden Plaintiffs’ attorneys
– AGs may use loose language against you
– Have talking points ready to go prior to notification
Third Party Vendor
– Joint Defense Agreement
– Who is notifying members?
– Liability for Vendor Conduct
– Need to think ahead to class litigation
– Need to understand scope of indemnity
  – Timing of claim
  – Tolling Agreement
– If ultimate position is common (e.g., class suffered no injury), then need united front in public while deferring any fight with Vendor
Insurance Issues
– Report incident to commence/preserve claim
– What kind of policy?
  – All Risk
  – CGL
  – Standalone Cyber Policy
CGL Policies
– Traditional CGL?
  – Physical loss
  – Tangible property
  – Personal and advertising injury
– Hacking and data breaches not contemplated when standard CGL policies first written
– Exclusions for privacy-related actions (e.g., TCPA claims) are getting tighter and more explicit
– ISO filed endorsements, to become effective 5/14, that exclude claims regarding access/disclosure of confidential PI or data-related liability
Insurers Contesting Data Breach Coverage Under CGL
Liberty Mutual v. Schuck’s Markets, Inc. (E.D. Mo., August 14, 2013): Liberty Mutual contested coverage under a general liability policy for losses due to a data breach, claiming that suits resulting from the breach do not allege bodily injury or property damage. Liberty also contends that the “expected or intended” exclusion precludes coverage (based on Schuck’s delay in reporting the breach).
OneBeacon America Ins. Co. v. Urban Outfitters, Inc. & Anthropologie (E.D. Pa. September 10, 2013):
– Class actions have been filed against Urban Outfitters & Anthropologie, alleging that the stores violated the Credit Card Act by asking customers for their zip codes during credit card transactions as a marketing ploy;
– OneBeacon alleges that the underlying complaints do not amount to an advertising injury under the comprehensive general liability policy at issue.
Zurich American Ins. Co. v. Sony Corp. of America, et al. (N.Y. Sup. Ct., 7/20/11): Zurich refuses to pay for costs associated with the PlayStation breach and 55 class actions under CGL because there is no bodily injury, property damage, or personal and advertising injury.
Hartford Casualty Insurance Company v. Corcino & Associates et al. (C.D. Cal. 10/7/13): court grants MTD, ruling that the CGL policy covers indemnity of claims under the California Confidentiality of Medical Information Act (“CCMIA”) in spite of an exclusion disclaiming coverage arising from a right of privacy “created by state or federal act.”
Cyber Risk Policies: Common Exclusions
– Coverage from territory restrictions
– Losses from “named viruses”
– Failure to take reasonable security measures
– Blogs
– Hostilities and warlike operations
Emerging Litigation Issues
– Typical Claims
  – Negligence
  – Breach of Contract
  – Unfair Trade Practices
  – Breach of Privacy
  – State Statutes, e.g., CMIA
– Threshold Issues
  – Standing to sue (Federal Court)
  – Actual injury or harm (common law claims)
Emerging Litigation Issues (cont’d)
– Class Certification Issues
  – Rare (dismissal or settlement)
  – Claims often turn on individualized issues of causation and damages
  – Thus common questions of law and fact do not predominate over questions affecting individual members
– Damages
  – Aggregate exposure to nominal damages
  – Due process violation?
Typical Settlements
– Non-monetary relief (e.g., credit monitoring)
– Monetary payments to privacy non-profits (e.g., Privacy Rights Clearinghouse)
– Consent decree requiring security improvements
– Attorneys’ fees to Plaintiffs’ counsel
– Capped individual payments to Plaintiffs who can prove causation